Protecting against common audit pitfalls

Feb 05, 2018
Now audit season is in full swing, here is a timely reminder of the most prevalent issues found in audit inspections.

A large proportion of Irish companies operate with a 31 December year-end and the audits of those entities are either underway or fast approaching. These audits may be the first time many auditors are applying both the EU Audit Reform rules as well as the IAASA Auditing Framework for Ireland. Both apply to all audits and auditors in Ireland and, in the area of independence and ethical requirements, involve significant changes from the previous regime. In addition to managing this change, auditors should also continue to seek improvement in how audits are conducted. But where do you start?
Several countries as well as the International Forum of Independent Audit Regulators now issue reports on audit findings, which are available for review. This article highlights issues found regularly in audit inspections around the globe that are relevant in the context of the current regulatory and auditing standard changes. These issues may be a good starting point for auditors deciding on focus areas.

Independence issues

The theory on independence is simple – you must remain independent from your audit clients so that you can maintain objectivity when assessing the information they are giving you. Yet, regulators frequently conclude that auditors have not demonstrated on the audit file how they ensure they are independent, while some regulators conclude that auditors are not independent.

The rules and guidelines designed to achieve this independence are detailed and complex. Not only do you, as an auditor, need to be happy that you are independent, you must also be happy that you would be perceived to be independent by a reasonably informed third party and you must demonstrate how you satisfied yourself of that. So, where does this go wrong?

Issues often arise some time into an audit relationship. Great care can be taken when accepting a new client to ensure that there are no issues and then in subsequent years, reliance is placed on this. No particular changes spring to mind when planning the audit, so assumptions are made that everything is still okay. The problem here is that sometimes changes are missed or forgotten. These changes can be with the auditor, the client or the rules, resulting in an inadvertent breach.

Personal independence can also be an issue. Auditors need to ensure that they are fully aware of all personal investments, even if a third party manages them. They also need to ensure that they are fully aware of the personal investments held by those with whom they have close personal relationships, because the rules extend beyond the auditor to those individuals.

The Audit Reform legislation brings in even more rules which, in theory, seem straightforward. However, certain services are now prohibited and there are rules around fees. These rules are untested and there are already many examples of how it is difficult to apply these rules in practice, something that requires sound judgement. Auditors should ensure that they allow plenty of time to consider these rules and, where uncertainty arises, consider consulting with legal advisors, Chartered Accountants Ireland and/or IAASA.

Risks

The concept of risk runs through every phase of the audit. Auditing standards require that before you start an audit, you get an understanding of the audit client and think about the possible risks of material error. You then need to decide whether those risks are significant risks. The main issue regulators find in this area is that the risks identified are very generic and not specific enough to the individual client.

This makes it very difficult to design procedures to address those risks properly, which is the next phase. For example, an auditor may identify that there is a risk that revenue may not be recognised correctly. That is a very wide risk and would give rise to the need to assess and test every single step in the revenue process from order right through to cash collection, and would probably give rise to very high levels of substantive testing. If the auditor continues the thought process and asks himself or herself how, for this client, could revenue be recognised incorrectly, the chances are that there is a smaller list of sub-sections of the revenue process where the risk arises, such as cut-off, or a manual or subjective part of the recognition process, such as applying percentage completion to construction contracts. Getting more specific in this way allows the auditor to focus their attention and testing on risky areas, making the audit more efficient and effective.

Audit regulators also find situations where the risk has been identified specifically, but the audit team then carries out a standardised work programme on that area without tailoring the work programme to ensure that they are covering the risk identified.
The last area where issues arise regularly in relation to risk is where new information becomes known during the audit. Auditors assess risks before they start an audit based on the information available. As the audit continues, the auditor may obtain new information that may be contrary to information used in assessing the risks. In this situation, it is crucial that the auditors revise their initial assessment and consider whether the audit test plan needs to be revised also. It is not sufficient for an auditor to think about these aspects, however – it must be documented on the audit file.

Controls testing

Similar to risks, controls testing is another area where things can go wrong in various phases of the audit. Part of the risk assessment in the planning phase of the audit involves identifying the controls the client has implemented to mitigate the risks of things going wrong.

In a similar way to risk identification and consequential direction of audit work, you must be sure that the control you identify actually deals with the risk you identified, and consider the results of your testing. Returning to the revenue recognition example in the risk section, you determined that the identified revenue recognition risk related to cut-off. You understand that there is a control in place whereby management review revenue on a weekly basis and you plan to rely on that. The question now is: does that control really address the cut-off risk? What exactly does the management review entail? If they are comparing revenue to budget and they appear to be in line, do they assume everything is okay, and if so, how would that review pick up the fact that revenue was pushed into the wrong period in order to meet the budget?

Having identified a control to help you get audit evidence and having ensured that it satisfactorily addresses the identified risk, you then need to test that the control operated effectively throughout the period under audit. A common finding here is in relation to controls that are found to be operating ineffectively throughout the period, but the auditor has failed to return to step one – reassess the risks and what further evidence is needed over the area concerned in the absence of that control.

Accounting estimates

Accounting estimates continue to be a difficult area for auditors to deal with and give rise to findings more regularly that any other auditing area. One of the most difficult areas for auditors is challenging management’s assumptions and methods. While management are expert in their business, the auditor must ensure that they challenge the assumptions made by management using an independent expert of their own if necessary. The auditor must determine whether other assumptions or methods could have been used and, if so, why they were rejected. They must also be on the lookout for management bias. Again, underlying all of this is the concept that the auditor not only needs to consider all these things, they also need to ensure that this work is fully evidenced on the audit file.

Conclusion

The pace of change in many aspects of the auditor’s work remains a challenge, but the fundamental concept of what an audit is and aims to achieve remains unchanged. While attention to the detailed requirements of standards and legislation is clearly necessary and important, there needs to be capacity at regular points along the audit timeline – before concluding on the audit – to step back and think about things within three broad categories: what could go wrong; how you will find out if it has gone wrong; and given what you have done, whether you need to change your initial view of what could go wrong.

Lisa Campbell is Head of the Audit Quality Unit at IAASA.